Results 1 to 5 of 5

Thread: InboundGateway: FilterSecurityInterceptor invoked before XwsSecurityInterceptor

  1. Feb 5th, 2013, 05:35 AM #1
    dijksvi
    dijksvi is offline Junior Member
    Join Date
    Dec 2012
    Posts
    10

    Default InboundGateway: FilterSecurityInterceptor invoked before XwsSecurityInterceptor

    I've exposed a webservice via an <int-ws:inbound-gateway> to which I've added security via the XwsSecurityInterceptor. The interceptor is registered on the UriEndpointMapping for the webservice (see code)

    Code:
        @Bean
    public XwsSecurityInterceptor xwsSecurityInterceptor() {
    	XwsSecurityInterceptor securityInterceptor = new XwsSecurityInterceptor();
    	Resource policyConfiguration = new ClassPathResource("security-policy.xml");
    	securityInterceptor.setPolicyConfiguration(policyConfiguration);
    	securityInterceptor.setCallbackHandler(this.springPlainPasswordValidationCallbackHandler());
    	return securityInterceptor;
    }

    @Bean
    public UriEndpointMapping uriEndpointMapping() {
    	String urlContext = urlContext();
        UriEndpointMapping endpointMapping = new UriEndpointMapping();
        Map<String, Object> endpointMap = new HashMap<String, Object>();
        endpointMap.put(urlContext + "/ws/notification", notificationInboundGateway);
        endpointMap.put(urlContext + "/ws/attachment", attachmentInboundGateway);
        endpointMapping.setEndpointMap(endpointMap);
        EndpointInterceptor[] interceptors = {xwsSecurityInterceptor};
        endpointMapping.setInterceptors(interceptors);
        return endpointMapping;
    }

    private String urlContext() {
    	StringBuilder builder = new StringBuilder();
    	builder.append(environment.getProperty("ws.host"));
    	builder.append(":");
    	builder.append(environment.getProperty("ws.port"));
    	builder.append("/");
    	builder.append(environment.getProperty("ws.context.root"));
    	return builder.toString();
    }
    All of this is working fine. Now I'm trying to add authorization so that based on a set of roles I can configure permissions to my web-services. Reading the spring security reference manual I ended up in doing so via the FilterSecurityInterceptor that nicely allows me to define a matching URL plus some roles that are allowed for this.

    The problem I currently encounter is that the FilterSecurityInterceptor, which is NOT an endpoint interceptor, is called BEFORE the XwsSecurityInterceptor. As the FilterSecurityInterceptor needs access to the Principle – which is set on the SecurityContextHolder by the XwsSecurityInterceptor – it throws an error as it can't find it yet.

    So my question is how can I make sure that the FilterSecurityInterceptor is invoked AFTER the XwsSecurityInterceptor. Am I doing something conceptually wrong? Is it a question of specifying the URLs for each interceptor in a different way?

    Any help/suggestion is highly appreciated.

    Thanks,

    Vincent
    Reply With Quote Reply With Quote
  2. Feb 5th, 2013, 06:17 AM #2
    Cleric
    Cleric is offline Senior Member
    Join Date
    Jan 2009
    Location
    Ukraine, Kharkov
    Posts
    646

    Default

    Hi!
    FilterSecurityInterceptor, which is NOT an endpoint interceptor, is called BEFORE the XwsSecurityInterceptor
    Of course, it is. Because the first one is a responsibility of HTTP, but the other one is about SOAP.
    So, HTTP protocol works first .
    Nevertheless, I recommend you to ask this question on the Spring-WS forum.
    By the way, maybe this will be OK for your case: http://static.springsource.org/sprin...ngle/#security

    Take care,
    Artem
    Reply With Quote Reply With Quote
  3. Feb 5th, 2013, 07:19 AM #3
    dijksvi
    dijksvi is offline Junior Member
    Join Date
    Dec 2012
    Posts
    10

    Default

    Hi Artem,

    Thanks for you quick reply. I will post the question on the spring-ws forum in case your suggestion to define the interceptor on the channel doesn't work out. That being said, I feel that it will do the trick.

    Thanks,

    Vincent
    Reply With Quote Reply With Quote
  4. Feb 5th, 2013, 09:28 AM #4
    dijksvi
    dijksvi is offline Junior Member
    Join Date
    Dec 2012
    Posts
    10

    Default

    Just tried the solution and it works perfect. That being said I found very little information on how to configure the access policy for the secured channel. For interest, the pattern refers to the ID of the channels that need to be intercepted.

    Vincent

    Code:
    <int-security:secured-channels
    access-decision-manager="accessDecisionManager"
    authentication-manager="authenticationManager">
    <int-security:access-policy pattern="echo.*" receive-access="ROLE_USER" send-access="ROLE_ADMIN"/>
</int-security:secured-channels>
    Reply With Quote Reply With Quote
  5. Feb 5th, 2013, 09:50 AM #5
    Mark Fisher
    Mark Fisher is offline Senior Member Spring Team
    Join Date
    Oct 2005
    Location
    Boston, MA
    Posts
    2,844

    Default

    Vincent,

    The reference manual includes a (brief) section covering secured channels:
    http://static.springsource.org/sprin...uring-channels

    If you think that could be enhanced, please feel free to open a JIRA request:
    https://jira.springsource.org/browse/INT

    Thanks,
    Mark
    Mark Fisher
    Spring Integration Lead
    SpringSource, a division of VMware
    http://www.springsource.com
    http://www.springsource.org/spring-integration
    http://blog.springsource.com/main/author/markf
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules